Contributed by: Nathan McNulty | Originally published on September 5, 2019 (OpsecEdu Blog)
The start of school this year has been unlike any other in the past. The headlines have been littered with school districts who are struggling with email compromise and malware/ransomware attacks. To get a sense of the gravity of the situation, take a quick trip to Twitter and check out Doug Levin’s feed: https://twitter.com/K12CyberMap
This has generated a lot of conversation on our Slack about what is happening and what can be done to address it. Unfortunately, we lack detailed information about these attacks, so that leaves us with following best practices like CIS’s top 20 controls, implementing NIST Cyberframework, etc. and hoping for the best. Inevitably, patch management came up as part of this, and it became very clear that this was a point of contention.
The article below from threatpost was a good starting point for our discussions and definitely worth the read. Unfortunately, it makes the assumption that we have staff that we can hand off vulnerability management to and expect them to reign it in. That doesn’t echo the experiences of most school districts across the nation.
Simply put, you can’t fix problems if you don’t have the staffing to apply the fixes.
threatpost: How to Get a Handle on Patch Management